Skip Menu |
 

This queue is for tickets about the CGI-Application-Plugin-CAPTCHA CPAN distribution.

Report information
The Basics
Id: 30759
Status: new
Priority: 0/
Queue: CGI-Application-Plugin-CAPTCHA

People
Owner: Nobody in particular
Requestors: klinteberg [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: not secure
Date: Thu, 15 Nov 2007 19:51:52 +0000
To: bug-cgi-application-plugin-captcha [...] rt.cpan.org
From: "Ludvig af Klinteberg" <klinteberg [...] gmail.com>
Download (untitled) / with headers
text/plain 583b
I might be horribly wrong, but I really think that CGI::Application::Plugin::Captcha is unsafe. A malicious programmer creating an application to use the service can just have his application send along a cookie that he has created himself, and with that supply an appropriate verification string for his cookie. To avoid that you need to include som kind of hidden server-side password in the string being encrypted, and also include it when you verify. -- Ludvig af Klinteberg Show quoted text
_____________________ The Yacht Week Mob: +46702403562 ludvig@theyachtweek.com www.theyachtweek.com


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.